How to Build and Validate Ransomware Attack Detections (Secure360)
•Transferir como PPTX, PDF•
0 gostou•426 visualizações
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a How to Build and Validate Ransomware Attack Detections (Secure360)
Semelhante a How to Build and Validate Ransomware Attack Detections (Secure360) (20)
Mais de Scott Sutherland
Mais de Scott Sutherland (20)
Último
Último (20)
How to Build and Validate Ransomware Attack Detections (Secure360)
- 1. S E C U R E 3 6 0
- 2. What is Ransomware? What is it and how does it work? Trends What are we seeing in the long term? Prevention Strategies to prevent infection in the first place. Detection Strategies to detect infection after it occurs.
- 5. 1: Make it too risky for those responsible 2: Make it less profitable when achieved 3: Make it harder to break in and stay in Develop better strategies for detection and prevention
- 6. Exploit Developer Identifies vulnerabilities in software and weaponizes them for sale. Threat Actor, Group, or Access Broker (Affiliates) Break into networks using a variety of techniques and deploy ransomware software. Or sell access. Software Developer Create ransomware software that can encrypt files, provide communication channel, and decrypt files.
- 13. • • • • •
- 14. • • • • •
- 17. • • • • • • • •
- 22. 3. Help organizations prepare 1. Deter ransomware attacks 2. Disrupt the ransomware business model 4. Respond to ransomware attacks more effectively
- 23. Reference: https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/ • • • • a security researcher named hyp3rlinx found that the samples were vulnerable to DLL hijacking…” “..the researcher says that their exploit allows executing code to “control and terminate the malware pre-encryption.”
- 25. What can I do to prevent ransomware threat actors from getting in?
- 26. What can I do to prevent ransomware threat actors from getting in? Our definition of a “vulnerability” has changed.
- 27. What can I do to prevent ransomware threat actors from getting in? Our definition of a “vulnerability” has changed. not just a missing patch
- 28. What can I do to prevent ransomware threat actors from getting in? Our definition of a “vulnerability” has changed. not just a missing patch not just a weak configuration
- 29. What can I do to prevent ransomware threat actors from getting in? Our definition of a “vulnerability” has changed. not just a missing patch not just a weak configuration not just insecure code
- 30. What can I do to prevent ransomware threat actors from getting in? Our definition of a “vulnerability” has changed. not just a missing patch not just a weak configuration not just insecure code Exploitation doesn’t require any of these.
- 31. We need to start thinking about malicious behavior as a vulnerability.
- 32. The definition of “vulnerability” needs to be extended to include detection gaps. We need to start thinking about malicious behavior as a vulnerability.
- 33. We need to start thinking about malicious behavior as a vulnerability. The definition of “vulnerability” needs to be extended to include detection gaps. You can’t prevent what you can’t detect.
- 34. Alert Coverage Industry Trends *Based on NetSPI’s research. 23% 2021 77% Visible Alerts Blind exposure 15% 2019 85% Visible Alerts Blind exposure
- 35. Why are the industry averages still so low? • Security products only deploy high-fidelity detections • MSSP services only deploy high-fidelity detections • MSSP contracts can be restrictive and expensive • Missing & broken data sources: You can’t generate alerts based on data you’re not collecting! 23% 2021 77% Visible Alerts Blind exposure
- 36. % Improved % N/A (New Tests) % Worse % Unchanged Alert Coverage Year over Year *Single Client Example
- 37. 100% alert coverage is not possible. well known secret
- 38. KILL CHAIN: BEHAVIOR OPTIONS Escalate Paid Deploy Target Remove Exfiltrate Access Our goal should be to detect the threat actors before they accomplish their goal ! BREAK the cyber kill chain!
- 39. Between 60% and 80% alert coverage, is a realistic target. It requires choosing the TTPs to cover for your business. 100% alert coverage is NOT required.
- 40. 2 Multi-Factor Authentication should be enabled on all management interfaces exposed to the internet. That includes all SaaS and cloud partners. Passwordless authentication. Tabletop exercises are not enough! • Miss disconnects between paper and reality - blind spots • Can generate conclusions based on incomplete or inaccurate information • Can overlook breakdowns at the strategic, operational, and tactical levels 1 Attack Surface Reduction wherever possible. Especially for internet facing systems and applications. Asset inventory and attack surface monitoring. • Driven by a Least privilege and the secure by default mindset. • Detective control lifecycle should be managed in similar way. • Emerging role of detection engineer; works with IR/SOC/TI • https://attack.mitre.org/mitigations/enterprise/ 3 Vulnerability Management should continue to be a priority. At a minimum, it should include asset, configuration, patch, application, Active Directory, and cloud management. 5 Segment and Isolate sensitive systems, applications, data and privileges to help slow down and/or block threat actors. Don’t forget about your management & backup platforms! 6 Test All of Your Controls regularly through security audits, penetration tests, detective control reviews, and security awareness training. Continuous testing. Trust but verify! 4 Protect & Validate Recovery Capabilities When was the last time you tried to restore a backup, and how long would that take for the entire company? Immutable & offline.
- 41. Open-Source Software Inventory Share Access in Active Directory environments automatically Identify HIGH RISK Shares based on common names, files, and privileges Prioritize Remediation using environment specificanalytics
- 46.
- 52. ? ? ? ? ? ? ?
- 65. Adversary Group Uses Accomplishes Prevents Tactic Mitigation Software Uses Procedure Technique / Sub Technique Implements Data Source Creates Artifacts +
- 66. Adversary Group Uses Accomplishes Prevents Tactic Mitigation Software Uses Procedure Technique / Sub Technique Implements Data Source Creates Artifacts Identifies Uses Detection +
- 72. • • •
- 75. Now you can measure your visibility for the psexec procedure
- 81. 28 TTP Tests
- 82. 8 TTP Blind Spots 28 TTP Tests Determine TTP Visibility by Tactic
- 83. 8 TTP Blind Spots 28 TTP Tests Determine TTP Visibility by Tactic
- 91. 16,384 Attack Paths Identify TTP Detection Blind Spots 8 28% Blind 72% Visible TTP Blind Spots
- 92. Blind Attack Paths 16,384 Attack Paths Identify Blind Attack Paths 28% Blind .0001% Blind 72% Visible TTP Blind Spots Blind Attack Paths 2 99.9998% Visible 8
- 93. 2 Choke Points 16,384 Attack Paths 28% Blind .0001% Blind 72% Visible TTP Blind Spots Blind Attack Paths 2 99.9998% Visible 8 Identify Choke Points
- 94. 2 Choke Points 16,384 Attack Paths 28% Blind .0001% Blind 72% Visible TTP Blind Spots Blind Attack Paths 2 99.9998% Visible 8 Use Threat Intel and Current Resources to Prioritize
- 96. • • •
Notas do Editor
- ISSUE We are catching ransomware too late in the cyber kill chain! SOLUTION Today we’ll talk about trying to be less dependent on malware specific IoCs Move towards developing behavior-based detections that are threat actor agnostic That way we can detect threat actors further up the cyber kill chain. BONUS * If done well, can allow companies to: better measure the real detection coverage develop key performance indicators to help guide/track our development/investments
- Together this group of profiles creates an ecosystem that support Ransomware as a Service (RaaS). Ransomware as a service (RaaS) is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- This is a simplified kill chain that reads left to right.
- Attacks are on the rise again Opportunistic feeds targeted
- Ransomware Task Force saw about 27% paying in 2020. https://www.trellix.com/en-us/threat-center/threat-reports/apr-2022.html https://www.sophos.com/en-us/content/state-of-ransomware
- Getting clear information is hard. We only see what is reported The sample have their own bias – government, IR, insurance Example: Q3 to Q4 of last year, Trellix says the quantity of ransomware attacks being detected by its U.S.-based clients declined by 61% https://www.trellix.com/en-us/threat-center/threat-reports/apr-2022.html https://www.sophos.com/en-us/content/state-of-ransomware https://newsroom.nccgroup.com/news/ncc-group-monthly-threat-pulse-march-2022-446743 https://securityandtechnology.org/ransomwaretaskforce/ https://securityandtechnology.org/ransomwaretaskforce/report/
- Deter REvil left the stage after a coordinated takedown of their infrastructure, several internal disputes, and members being arrested," says Trellix
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- Here is a generic *very* high level RaaS workflow. 1. Ransomware dev creates ransomware. They may do exploit dev as well. 2. Ransomware dev works with threat actor/group/access broker. 3. Threat actor/group/access broker Access broken identifies common techniques/exploits or purchased exploits from an exploit dev to gain access to the client. 4. Threat actor/group/access broker gains access to the client and deploys ransomware and data is encrypted. 5. Victim pays 6. The money get laundered. 7. The developers and access brokers get paid. 8. The decryption key is provided to the victim. 9. Data is recovered. Notice that as a trend ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used. Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets. The highlighted section is the only thing we can control, so how can we better understand and defend here?
- 1,000 ransomware threat actors in operation. Russian Sanctions = more IT out of work = more potential hackers Russia was helping the US crack down - https://www.bbc.com/news/technology-59998925 But now they aren’t and the seems to be a resurgence - https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/ Trends towards giving the affiliate control over the whole process. (the threat actor / group / access broker) Additional Notes Number of ransomware attackers actually going through with it: https://www.coveware.com/blog/2022/3/25/how-the-russianukraine-war-may-lead-to-an-explosion-in-ransomware-attacks 1. Conti leak showed 62 individuals associated with the Conti group. Round to 100. 2. FBI IC3 report estimated conti accounted for 13% for ransomware attacks. 3. Coveware estimates there are approx. 1,000 ransomware threat actors in operation. Additional Discussion Eastern Europe/Russian territories have tech savvy populations without enough tech jobs. Coveware speculates that has been driving increase in ransomware attackers. Coveware also speculates that the Russian sanctions will reduce the number of available tech jobs further and drive more to cyber crime.
- 1,000 ransomware threat actors in operation. Russian Sanctions = more IT out of work = more potential hackers Russia was helping the US crack down - https://www.bbc.com/news/technology-59998925 But now they aren’t and the seems to be a resurgence - https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/ Trends towards giving the affiliate control over the whole process. (the threat actor / group / access broker) Additional Notes Number of ransomware attackers actually going through with it: https://www.coveware.com/blog/2022/3/25/how-the-russianukraine-war-may-lead-to-an-explosion-in-ransomware-attacks 1. Conti leak showed 62 individuals associated with the Conti group. Round to 100. 2. FBI IC3 report estimated conti accounted for 13% for ransomware attacks. 3. Coveware estimates there are approx. 1,000 ransomware threat actors in operation. Additional Discussion Eastern Europe/Russian territories have tech savvy populations without enough tech jobs. Coveware speculates that has been driving increase in ransomware attackers. Coveware also speculates that the Russian sanctions will reduce the number of available tech jobs further and drive more to cyber crime.
- 1,000 ransomware threat actors in operation. Russian Sanctions = more IT out of work = more potential hackers Russia was helping the US crack down - https://www.bbc.com/news/technology-59998925 But now they aren’t and the seems to be a resurgence - https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/ Trends towards giving the affiliate control over the whole process. (the threat actor / group / access broker) Additional Notes Number of ransomware attackers actually going through with it: https://www.coveware.com/blog/2022/3/25/how-the-russianukraine-war-may-lead-to-an-explosion-in-ransomware-attacks 1. Conti leak showed 62 individuals associated with the Conti group. Round to 100. 2. FBI IC3 report estimated conti accounted for 13% for ransomware attacks. 3. Coveware estimates there are approx. 1,000 ransomware threat actors in operation. Additional Discussion Eastern Europe/Russian territories have tech savvy populations without enough tech jobs. Coveware speculates that has been driving increase in ransomware attackers. Coveware also speculates that the Russian sanctions will reduce the number of available tech jobs further and drive more to cyber crime.
- Let’s talk about where to start.
- First things first, you need to understand how the detection pipeline works within your environment and understand the different between detection and response nuances. Logging review - You can’t respond to what you can’t see.
- Detection review - Identify potentially malicious behavior based on artifacts, correlations, or anomaly detection.
- Alerts can sometimes use more complex logic than pure detections
- Alerts can sometimes use more complex logic than pure detections
- Use industry reports and intel feeds to help decide how to prioritize you detection development. Focus on the techniques and procedures used the most across the group and those they may be an immediate threat. 6/7 can provide guidance on how to build rules generic
- Threat intel could tell you that MAZE is a threat.
- You can see the common techniques they use.
- And the data sources associated with those techniques.
- Let’s talk about where to start.
- They aren’t using a novel techniques or procedures. What’s in diagram shows they are mostly using techniques and procedures that have been around for the better part of two decades. Let’s use psexec as a case study for procedures dissecting, also called a capability abstract, a term coined by Jared Atkinson.
- Let’s talk about where to start.
- Let’s talk about where to start.
- Let’s talk about where to start.
- All about ttp relationships.
- Single entry to even four
- Add 3 more entry options and now your at 16
- Add 6 more attack phase and you at over 16k Its seem unmanageable…
- But when you over lay your TTP detection coverage you can start to see you blind spots
- But when you over lay your TTP detection coverage you can start to see you blind spots
- But when you over lay your TTP detection coverage you can start to see you blind spots
- But when you over lay your TTP detection coverage you can start to see you blind spots
- Use industry reports and intel feeds to help decide how to prioritize you detection development. Focus on the techniques and procedures used the most across the group and those they may be an immediate threat. 6/7 can provide guidance on how to build rules generic
- It’s getting better, but it’s still not great. That’s why being proactive about building and measuring your capabilities is so important.